Bug 807707 - (CVE-2013-1635) VUL-1: php5: CVE-2013-1635 CVE-2013-1643 SOAP security issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: wasL3:39030 maint:released:sle10-s...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
Reported: 2013-03-06 06:30 UTC by Thomas Biege
Modified: 2018-10-19 18:09 UTC
CC: 5 users

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
using this one for CVE-2013-1635 (2.05 KB, text/plain), 2013-05-09 14:19 UTC, Petr Gajdos
using this one for CVE-2013-1643 (4.48 KB, text/plain), 2013-05-09 14:20 UTC, Petr Gajdos

Description Thomas Biege 2013-03-06 06:30:26 UTC
Hi.
There is a security bug in package 'php5'.

This information is from 'Debian'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://www.debian.org/security/

CVE number: CVE-2013-1635
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE number: CVE-2013-1643
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
CVSS v2 Base Score: 2.6 (low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)


Original posting:


-------- Original Message --------
Subject: [Full-disclosure] [SECURITY] [DSA 2639-1] php5 security update
Resent-Date: Tue,  5 Mar 2013 17:23:09 +0000 (UTC)
Resent-From: list@bendel.debian.org (Mailing List Manager)
Date: Tue,  5 Mar 2013 18:22:41 +0100 (CET)
From: Thijs Kinkhorst <thijs@debian.org>
Reply-To: full-disclosure@lists.grok.org.uk
To: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-2639-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
March 05, 2013                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1635 CVE-2013-1643
Debian Bug     : 702221

Several vulnerabilities have been discovered in PHP, the web scripting
language. The Common Vulnerabilities and Exposures project identifies
the following issues:

CVE-2013-1635

    If a PHP application accepted untrusted SOAP object input remotely
    from clients, an attacker could read system files readable for the
    webserver.

CVE-2013-1643

    The soap.wsdl_cache_dir function did not take PHP open_basedir
    restrictions into account. Note that Debian advises against relying
    on open_basedir restrictions for security.

For the stable distribution (squeeze), these problems have been fixed in
version 5.3.3-7+squeeze15.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 5.4.4-14.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Comment 1 Swamp Workflow Management 2013-03-06 23:00:17 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-03-09 07:23:36 UTC
Name: CVE-2013-1635 {Novell Bug: 807707} 

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=918196
Reference: CONFIRM: http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74


======================================================
Name: CVE-2013-1643 {Novell Bug: 807707} 

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=918187
Reference: CONFIRM: http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
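The two CVE texts above (and the Debian advisory quoted in the description) describe two missing checks in the PHP SOAP extension: the WSDL cache directory was never compared against open_basedir, and WSDL documents were parsed with external entities enabled. The following is an added example, not code from this bug report, from Debian, or from the PHP project. It shows the two checks written as application-level guards for an application that accepts WSDL from clients, the scenario the advisory warns about. The function names, the constructed temp directories and the sample WSDL strings are this example's own; the ini directives, libxml flags and DOM calls are real PHP APIs. The real remedy remains the package update; these guards only make the conditions the CVEs describe visible and testable.

```php
<?php
declare(strict_types=1);

// Added example; not code from this bug report, Debian, or the PHP project.
//   1. CVE-2013-1635: soap.wsdl_cache_dir must lie inside open_basedir.
//   2. CVE-2013-1643: a WSDL document must carry no DTD (the only place an
//      external entity can be declared) and is parsed with external entity
//      loading and network access disabled.
// Function names are this example's own; ini directives, libxml flags and
// DOM calls are real PHP APIs.

/**
 * True if $dir resolves to a path at or below one of the open_basedir
 * entries (PATH_SEPARATOR-separated, ':' on Unix). An empty open_basedir
 * means "no restriction". A directory that does not exist cannot be
 * canonicalised and is therefore reported as not allowed.
 */
function wsdlCacheDirAllowed(string $dir, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true;
    }
    $real = realpath($dir);
    if ($real === false) {
        return false;
    }
    $realWithSep = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $baseReal = realpath($base);
        if ($baseReal === false) {
            continue; // entry points nowhere, so it admits nothing
        }
        // Compare with a trailing separator so /srv/www never matches /srv/www2.
        $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($realWithSep, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/** True if the document declares a DTD; a WSDL file never needs one. */
function wsdlDeclaresDtd(string $xml): bool
{
    return stripos($xml, '<!DOCTYPE') !== false;
}

/**
 * Parse WSDL text defensively. Returns the DOMDocument, or null when the
 * text carries a DTD, is not well-formed XML, or its root element is not
 * wsdl:definitions.
 */
function parseWsdlSafely(string $xml): ?DOMDocument
{
    if (wsdlDeclaresDtd($xml)) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // loader was on by default before 8.0
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // No LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD;
    // LIBXML_NONET forbids fetching anything over the network.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok !== true) {
        return null;
    }
    $root = $doc->documentElement;
    if ($root === null
        || $root->localName !== 'definitions'
        || $root->namespaceURI !== 'http://schemas.xmlsoap.org/wsdl/') {
        return null;
    }
    return $doc;
}

// --- constructed demo input: throwaway directories under the system temp dir ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wsdl-demo-' . getmypid();
mkdir($tmp . '/www/cache', 0700, true);
mkdir($tmp . '/elsewhere', 0700, true);
$openBasedir = $tmp . '/www' . PATH_SEPARATOR . '/nonexistent-entry';
printf("cache dir inside open_basedir:  %s\n", var_export(wsdlCacheDirAllowed($tmp . '/www/cache', $openBasedir), true));
printf("cache dir outside open_basedir: %s\n", var_export(wsdlCacheDirAllowed($tmp . '/elsewhere', $openBasedir), true));
// The same check against the running interpreter's own configuration:
printf("live configuration consistent:  %s\n", var_export(wsdlCacheDirAllowed(
    (string) ini_get('soap.wsdl_cache_dir'), (string) ini_get('open_basedir')), true));

$plainWsdl = '<?xml version="1.0"?>'
    . '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Demo"/>';
$dtdWsdl = '<?xml version="1.0"?>'
    . '<!DOCTYPE definitions [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>'
    . '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Demo">&ext;</definitions>';
printf("plain WSDL accepted:            %s\n", var_export(parseWsdlSafely($plainWsdl) instanceof DOMDocument, true));
printf("WSDL with DTD rejected:         %s\n", var_export(parseWsdlSafely($dtdWsdl) === null, true));

foreach ([$tmp . '/www/cache', $tmp . '/www', $tmp . '/elsewhere', $tmp] as $d) {
    rmdir($d);
}
```

Run it with the php CLI. The first guard uses realpath on both sides so symlinks and `..` segments cannot place the cache outside the allowed trees, which is the same canonicalisation open_basedir itself performs; the second rejects a DOCTYPE outright rather than trying to enumerate entity declarations after parsing, because a WSDL document has no legitimate use for one. Note that SoapClient fetches and parses a WSDL URL by itself, so parseWsdlSafely only helps where the application receives the WSDL text first; for the library's own parser the fix is the updated php5 package.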
Comment 3 Marcus Meissner 2013-04-30 14:24:56 UTC
From
https://bugzilla.redhat.com/show_bug.cgi?id=918187

some more information and incremental CVE ID:

Comment 5 Vincent Danen 2013-03-20 10:24:15 EDT

This issue was not correctly fixed in 5.4.12 or 5.3.22, so CVE-2013-1824 was assigned to the incorrect fix present in 5.4.12 and 5.3.22.  It was correctly fixed in 5.4.13 and 5.3.22.

Since we have not fixed this in our package yet, CVE-2013-1824 does not apply to us (we never provided the incorrect fix).  As Remi noted:


First fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=afe98b7829d50806559acac9b530acb8283c3bf4

Improved fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=188c196d4da60bdde9190d2fc532650d17f7af2d

Revert previous + real fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6

Fix ZTS:
http://git.php.net/?p=php-src.git;a=commitdiff;h=fcd4b5335a6df4e0676ee32e2267ca71d70fe623
Comment 14 Michal Kubeček 2013-05-09 12:56:25 UTC
Mike, which package does the L3:39030 customer need the PTF for, php5
(PHP 5.2) or php53 (PHP 5.3)? I haven't checked yet whether 5.2 is affected
and whether the fixes apply.
Comment 16 Petr Gajdos 2013-05-09 14:19:46 UTC
Created attachment 538575 [details]
using this one for CVE-2013-1635
Comment 17 Petr Gajdos 2013-05-09 14:20:45 UTC
Created attachment 538576 [details]
using this one for CVE-2013-1643
Comment 18 Petr Gajdos 2013-05-09 14:21:21 UTC
11sp3 sr#26144
Comment 23 Petr Gajdos 2013-05-16 05:30:17 UTC
Should I do update now?
Comment 24 Petr Gajdos 2013-05-27 08:21:24 UTC
Ping :-). I'll significantly decrease priority and severity in case it is still ordinary VUL-1.
Comment 25 Petr Gajdos 2013-05-30 07:50:54 UTC
Decreasing priority and severity to the state before L3.
Comment 26 Petr Gajdos 2013-07-04 14:48:30 UTC
Patches from comment 16 and comment 17 applied to 10sp3, 11, php53/11sp2, 12.2, and 12.3. php53/11sp3 already has these fixes (comment 18).

See ibs/obs home:pgajdos:maintenance:php5*.
Comment 28 Bernhard Wiedemann 2013-07-17 16:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (807707) was mentioned in
https://build.opensuse.org/request/show/183542 Maintenance /
Comment 29 Bernhard Wiedemann 2013-07-18 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (807707) was mentioned in
https://build.opensuse.org/request/show/183662 Evergreen:11.2 / php5
Comment 30 Swamp Workflow Management 2013-07-24 12:04:26 UTC
openSUSE-SU-2013:1244-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 807707,828020,829207
CVE References: CVE-2013-1635,CVE-2013-1643,CVE-2013-4113,CVE-2013-4635
Sources used:
openSUSE 12.3 (src):    php5-5.3.17-3.4.1
openSUSE 12.2 (src):    php5-5.3.15-1.16.1
Comment 31 Swamp Workflow Management 2013-07-24 13:05:09 UTC
openSUSE-SU-2013:1249-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 807707,828020,829207
CVE References: CVE-2013-1635,CVE-2013-1643,CVE-2013-4113,CVE-2013-4635
Sources used:
openSUSE 11.4 (src):    php5-5.3.5-355.1
Comment 35 Swamp Workflow Management 2013-07-31 18:04:48 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 36 Swamp Workflow Management 2013-08-09 15:04:55 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 37 Swamp Workflow Management 2013-08-09 16:50:28 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SLES4VMWARE 11-SP1-LTSS (i386, x86_64)
Comment 38 Swamp Workflow Management 2013-08-09 17:06:38 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 39 Swamp Workflow Management 2013-08-09 17:19:22 UTC
Update released for: apache2-mod_php53, php53, php53-bcmath, php53-bz2, php53-calendar, php53-ctype, php53-curl, php53-dba, php53-debuginfo, php53-debugsource, php53-devel, php53-dom, php53-enchant, php53-exif, php53-fastcgi, php53-fileinfo, php53-fpm, php53-ftp, php53-gd, php53-gettext, php53-gmp, php53-iconv, php53-imap, php53-intl, php53-json, php53-ldap, php53-mbstring, php53-mcrypt, php53-mysql, php53-odbc, php53-openssl, php53-pcntl, php53-pdo, php53-pear, php53-pgsql, php53-phar, php53-posix, php53-pspell, php53-readline, php53-shmop, php53-snmp, php53-soap, php53-sockets, php53-sqlite, php53-suhosin, php53-sysvmsg, php53-sysvsem, php53-sysvshm, php53-tidy, php53-tokenizer, php53-wddx, php53-xmlreader, php53-xmlrpc, php53-xmlwriter, php53-xsl, php53-zip, php53-zlib
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 40 Swamp Workflow Management 2013-08-16 13:08:08 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 41 Swamp Workflow Management 2013-08-16 15:49:11 UTC
Update released for: apache2-mod_php5, php5, php5-bcmath, php5-bz2, php5-calendar, php5-ctype, php5-curl, php5-dba, php5-dbase, php5-debuginfo, php5-devel, php5-dom, php5-exif, php5-fastcgi, php5-ftp, php5-gd, php5-gettext, php5-gmp, php5-hash, php5-iconv, php5-imap, php5-json, php5-ldap, php5-mbstring, php5-mcrypt, php5-mhash, php5-mysql, php5-ncurses, php5-odbc, php5-openssl, php5-pcntl, php5-pdo, php5-pear, php5-pgsql, php5-posix, php5-pspell, php5-readline, php5-shmop, php5-snmp, php5-soap, php5-sockets, php5-sqlite, php5-suhosin, php5-sysvmsg, php5-sysvsem, php5-sysvshm, php5-tidy, php5-tokenizer, php5-wddx, php5-xmlreader, php5-xmlrpc, php5-xmlwriter, php5-xsl, php5-zip, php5-zlib
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 42 Marcus Meissner 2013-08-28 06:38:45 UTC
done